Virtual Private Server (VPS) security

You really like to talk out of both sides of your mouth, don’t you?! :rofl:

(It was YOU that suggested that I could use a Shared Server in the first place?! Changing your mind…)

However, my argument for shared hosting is if you’re not even making $100, and you aren’t storing any overly sensitive information on there, the cost-to-risk comparison makes it so you could reasonably host an e-commerce site on a -reliable- shared host, at least until it started to pay for itself on a VPS.

Did you flunk out of logic class? :lol:

Tell you what, samanime, e-mail me your Full Name, Physical Address, Billing Address, and Credit Card Info and I promise to be really careful with it. Since I won’t charge you more than $100 to watch your information for you - electricity isn’t free you know?! - then you’ll have nothing to worry about!

(People don’t give a damn if I only make 1 cent! If their credit info is compromised because I cut corners, that doesn’t do them any good!)

If you can afford a VPS or dedicated without putting yourself in a hole that you might not get out of, then go for it.

If I cannot afford a secure solution, then maybe I shouldn’t put other people’s credit info at risk… :rolleyes:

Everyone is entitled to their preferred approaches and opinions, but dangerous advice is not. Using a shared server for an e-commerce site is irresponsible, and I know if my Bank, my Credit Card Processor, or my Payment Gateway found out, they would flip!

Now back to my original question…

Is using a VPS to host an e-commerce site secure?

Well, not as secure as a Dedicated Server, but if it is configured right, I believe it should be secure enough for a temporary solution (i.e. a few months). But maybe some server admins out there have more experience with the “VPS vs Dedicated Server for an E-commerce Site” debate.

Thanks,

Debbie

You wouldn’t have secure stuff on HTTP… that defeats the point of having an SSL…

You’re assuming that all shared hosts just kind of drop files into place. A lot of (good) shared hosts have each individual website very isolated so it is generally hard for one website to influence another.

The main way websites get hacked is by someone using files they’ve put in their own website to affect their site. Getting across the border between different sites on shared hosts is quite difficult. It can happen, but odds are in your favor it won’t.

I’m not likely to convince you, but I still stand by my point. =p

I don’t talk out of both sides of my mouth.

I wouldn’t put any website that gets a ton of hits on a shared host, e-commerce or not. However, any smaller website, including e-commerce is valid on a shared host. Also, e-commerce sites exist on shared hosts, so SOMEONE must be doing it or they wouldn’t be offered all over the place… you don’t spend time and money setting up a product nobody uses. =p

There are ways to secure your site without storing everything on your server.

Like I said before, I’m not going to convince you, but I still stand by my point.

That wasn’t the point!

The point was that if your shared server is compromised, and thus your website gets compromised, that when your user is communicating with your website over HTTP - which on most websites is everything up to checkout - then there is an opportunity to not only compromise the transaction, but the user’s computer.

Once the server or connection or client is compromised, an HTTPS connection doesn’t do SQUAT!!! (If you and I walk into a bank vault, and I close the door and have a gun, I can do anything I want and that vault isn’t going to help you…)

Debbie

You just did talk out of both sides of your mouth, again! :rofl:

Also, e-commerce sites exist on shared hosts, so SOMEONE must be doing it or they wouldn’t be offered all over the place…

Not too long ago it was legal to take box-cutters on commercial flights - liquid explosives too. That turned out to be not such a good idea. Of course, it was legal and at least a handful of people did it.

It is also still legal to sell cigarettes, and lots of people do it, but the consequences are scientifically proven.

Just because “the masses” do something doesn’t mean you should…

you don’t spend time and money setting up a product nobody uses. =p

You give such good advice in other forums, what is happening here? (I think we’ve found a few bulbs in the Christmas Tree Lights!) :lol:

Debbie

This reminds me of another topic I was in where someone thought I was saying different things, but I was really saying the same thing worded slightly differently.

Let me try again. Ignore inconsistencies you may see between other posts, they were only in the semantics of my words. I haven’t changed my opinion on anything since this thread started.

Is a shared host for an e-commerce site ideal?

  • Absolutely not.

Is a shared host for an e-commerce site a valid option?

  • Yes, it is. It’s used everywhere, and a lot of payment gateways don’t even require you to have a VPS/dedicated.

Is a VPS/dedicated host the best option?

  • They’re better. A server you have physical control over is actually the best option.

You’re saying because I say sometimes shared hosts are good and sometimes they aren’t that I’m talking out of both sides of my mouth, but I’m not.

Sometimes walking to work is a good idea, sometimes driving to work is a good idea. That doesn’t mean I’m talking out of both sides of my mouth.

You were worried about affordability, so I brought up the most -affordable- option, which is shared hosting.

It’s all about risk analysis and how exactly you implement things.

Any server on the planet can be hacked WITHOUT EXCEPTION. How difficult it is to do so varies greatly based on a large number of factors. If you can reduce the risk down enough, using a shared host is a perfectly legitimate option.

I wouldn’t use a shared host that received lots of traffic FOR THE SAME REASON I WOULDN’T USE A SHARED HOST FOR ANY OTHER SITE THAT RECEIVES A LOT OF TRAFFIC, because of the differences in server resources.

Good shared hosts set up their servers in a way that isolates one from another. It’s just like a carton of eggs. Yes, one egg can break and that can spill into another, but because they are isolated, the odds of that happening are relatively low.

If you don’t store sensitive information on your website, test it regularly for vulnerabilities and hacks, etc., you can reduce the risk of sensitive data being extracted.

And, once again: 99% of hacked shared hosts aren’t hacked because they’re on a shared host. They were hacked because they had vulnerabilities in their OWN files.

As for HTTP vs. HTTPS, yes, the HTTP doesn’t do any good if the client gets compromised or if your server gets compromised. But, an SSL doesn’t do any good if the client gets compromised or your server gets compromised either. You are very correct on that.

However, neither HTTP nor HTTPS is going to reduce the risk of your server getting compromised or the client getting compromised. All it does is encrypt the data when it’s transmitted between the client and your server so when you are hopping through those dozens of other servers it isn’t scooped up.

Do a little research on Google and you’ll see lots of people use shared hosts for e-commerce sites because they are affordable, and they haven’t been sued out of existence or hacked.

samanime,

That was a somewhat clearer response.

It’s nothing personal. (If you want personal, go bug Deathshadow!!) :rofl: :rofl:

We’ll just have to agree to disagree on this topic. :wink:

Debbie

P.S. So if I change my mind and get a Shared Plan, are you gonna let me use your credit card to do testing?! :smiley:

The cPanel hosting model is anti-VPS - there’s one WHM management console that controls the whole server, and each shared environment gets a cPanel interface to work with their piece. There’s no WHM/cPanel environment for virtualization that allows the same level of master/slave control.

For that reason, you’ll never find a cPanel VPS host. You generally only find raw LAMP distros installed on VPSes.

You can however install cPanel (Plesk, etc.) on a single server, including a VPS. We were considering doing this on some of our virtualized servers because it simplified some of the other server administration stuff, not because we wanted multiple servers.

Just because cPanel exists on a server doesn’t mean it’s not a VPS.

(Granted, usually you won’t see it on an individual server, but it does happen. =))

Shared servers are more likely to have downtime too. Especially Microsoft shared servers where you’re likely to have an Access database that some programming newbie is writing bad code against…

Understood… but WHM specifically always occurs in a shared hosting environment - it’s a shared-host software… it happens to be the admin end of the cPanel suite, but I’m aware that cPanel is available individually and can be installed in a VPS… that’s a different beast than a “cPanel host” though. I’m not aware of any VPS host that offers cPanel as a default configuration option. Most are barebones LAMP installations, and most VPS customers prefer them that way.

Trust me, I’ve seen plenty of poorly designed newbish MySQL databases… some of them are even sold for money - as plugins for Joomla!!! :smiley: